From: Tobias Brunner Date: Fri, 17 Nov 2017 08:30:02 +0000 (+0100) Subject: NEWS: Added some news for 5.6.1 X-Git-Tag: 5.6.1~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=caee751d13db1878e86f7f668b1cb8792098187d;p=thirdparty%2Fstrongswan.git NEWS: Added some news for 5.6.1 --- diff --git a/NEWS b/NEWS index 362b03a011..fe0d6f9c27 100644 --- a/NEWS +++ b/NEWS @@ -1,7 +1,21 @@ strongswan-5.6.1 ---------------- -- The sec-updater tool checks for security updates dpkg-based repositories +- In compliance with RFCs 8221 and 8247 several algorithms were removed from the + default ESP/AH and IKEv2 proposals, respectively (3DES, Blowfish and MD5 from + ESP/AH, MD5 and MODP-1024 from IKEv2). These algorithms may still be used in + custom proposals. + +- Added support for RSASSA-PSS signatures. For backwards compatibility they are + not used automatically by default, enable charon.rsa_pss to change that. To + explicitly use or require such signatures with IKEv2 signature authentication + (RFC 7427), regardless of whether that option is enabled, use ike:rsa/pss... + authentication constraints. + +- The pki tool can optionally sign certificates/CRLs with RSASSA-PSS via the + `--rsa-padding pss` option. + +- The sec-updater tool checks for security updates in dpkg-based repositories (e.g. Debian/Ubuntu) and sets the security flags in the IMV policy database accordingly. Additionally for each new package version a SWID tag for the given OS and HW architecture is created and stored in the database. 
@@ -12,6 +26,20 @@ strongswan-5.6.1 reference hash measurements. This has been fixed by creating generic product versions having an empty package name. +- A new timeout option for the systime-fix plugin stops periodic system time + checks after a while and enforces a certificate verification, closing or + reauthenticating all SAs with invalid certificates. + +- The IKE event counters, previously only available via ipsec listcounters, may + now be queried/reset via vici and the new swanctl --counters command. They are + provided by the new optional counters plugin. + +- Class attributes received in RADIUS Access-Accept messages may optionally be + added to RADIUS accounting messages. + +- Inbound marks may optionally be installed on the SA again (was removed with + 5.5.2) by enabling the mark_in_sa option in swanctl.conf. + strongswan-5.6.0 ----------------
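Review bot: in the first hunk, the entry on the RFC 8221/8247 algorithm removals should state the upgrade impact plainly: a peer that still relies on the old defaults (3DES, Blowfish or MD5 for ESP/AH, MD5 or MODP-1024 for IKEv2) will fail proposal negotiation after this release until a custom proposal is configured, which is the remedy the entry already hints at. Option names are also quoted inconsistently within the hunk: `--rsa-padding pss` is in backticks while charon.rsa_pss and ike:rsa/pss are bare; pick one style for the whole section.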
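Review bot: in the second hunk, the systime-fix entry ("A new timeout option") and the RADIUS Class-attribute entry ("may optionally be added") describe new settings without naming them, whereas the neighbouring entries do name theirs (mark_in_sa in swanctl.conf, swanctl --counters); add the option keys so the entries can be acted on from NEWS alone. For the counters entry, since the counters plugin is described as optional, say whether ipsec listcounters still reports anything when that plugin is not loaded, as readers upgrading from 5.6.0 will want to know.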